From: kf_lists at (KF_lists)
Subject: Altiris Carbon Copy Remote Control local SYSTEM exploitation.

The only reason this was never disclosed was originally in hopes of 
proper vendor response... I spoke to their tech support about 5 times 
but they were just total morons. I eventually gave up.

I was going to write a shatter-like attack so this could be exploited 
à la .exe file, but I never had time.

Tested on Carbon Copy Version 6.0.5257

Start the Carbon Copy Service...
CCSRVC.exe is running as SYSTEM.

In the task bar you should see a little blue and white CC icon. Right 
click on it and choose show user interface. CCW32.exe will then be 
started with SYSTEM rights.

Choose help then "carbon copy help topics"... right click on the right 
hand side of the help pane and choose "view source". You should get 
notepad.exe running as SYSTEM. Click File then open... browse to cmd.exe 
right click and open it.

Now you have local SYSTEM

Carbon Copy Scheduler at one point in time had its own service as well 
so it could also be used to take SYSTEM... CCSched.exe runs as SYSTEM.
The scheduler's help button can be used to take SYSTEM. The Add button 
will take you to another screen with a browse button that can be used...

Several variations of this span the product's various versions. The 
latest version I used did not contain the Scheduler Service...

I will eventually write up a proper advisory for this and an exploit 
but... like I stated above... just been too busy to write the exploit.



Brooks, Shane wrote:
> Can you elaborate a bit on the privilege escalation that you mentioned? If the hole has indeed been there over a year, why not disclose it publicly? Does anyone else have any info on Altiris vulnerabilities?
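The chain the post describes (a SYSTEM service spawning its own GUI, which in turn spawns a help viewer, notepad.exe and finally cmd.exe, all still as SYSTEM) leaves a recognisable process tree. The following detection logic is an added example for defenders, not code from the post or from Altiris: it reads constructed process-creation records (a simplified pipe-delimited format modelled loosely on what an endpoint sensor such as Sysmon Event ID 1 records), rebuilds each process's ancestry, and flags interactive tools running as SYSTEM whose ancestry passes through one of the Carbon Copy images named in the post. The log lines, PIDs and install path are constructed for illustration.

```python
"""Flag interactive tools running as SYSTEM beneath Carbon Copy processes.

Added example (not from the original post). Records are constructed, one
process per line, in the form:
    pid=<n>|ppid=<n>|image=<full path>|user=<account>
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Image names the post reports as running with SYSTEM rights.
CARBON_COPY_IMAGES = {"ccsrvc.exe", "ccw32.exe", "ccsched.exe"}
# Interactive tools named in the post; extend this set as local policy requires.
INTERACTIVE_IMAGES = {"notepad.exe", "cmd.exe"}
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"

# Constructed sample events: a Carbon Copy chain ending in cmd.exe as SYSTEM,
# a benign user cmd.exe, and a SYSTEM notepad.exe with no Carbon Copy ancestor.
# The install path is an assumption, not taken from the post.
SAMPLE_EVENTS = [
    r"pid=4|ppid=0|image=System|user=NT AUTHORITY\SYSTEM",
    r"pid=600|ppid=4|image=C:\Windows\System32\services.exe|user=NT AUTHORITY\SYSTEM",
    r"pid=900|ppid=600|image=C:\Program Files\Altiris\Carbon Copy\CCSRVC.exe|user=NT AUTHORITY\SYSTEM",
    r"pid=1200|ppid=900|image=C:\Program Files\Altiris\Carbon Copy\CCW32.exe|user=NT AUTHORITY\SYSTEM",
    r"pid=1500|ppid=1200|image=C:\Windows\System32\notepad.exe|user=NT AUTHORITY\SYSTEM",
    r"pid=1800|ppid=1500|image=C:\Windows\System32\cmd.exe|user=NT AUTHORITY\SYSTEM",
    r"pid=2000|ppid=600|image=C:\Windows\explorer.exe|user=WORKSTATION\alice",
    r"pid=2100|ppid=2000|image=C:\Windows\System32\cmd.exe|user=WORKSTATION\alice",
    r"pid=2200|ppid=600|image=C:\Windows\System32\notepad.exe|user=NT AUTHORITY\SYSTEM",
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of an image path; accepts either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> Dict[int, Proc]:
    """Parse pipe-delimited key=value records into a pid -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = {}
        for part in line.split("|"):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        proc = Proc(int(fields["pid"]), int(fields["ppid"]), fields["image"], fields["user"])
        procs[proc.pid] = proc
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image basenames from pid's parent up to the root (cycle-safe)."""
    chain: List[str] = []
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and cur.ppid not in seen:
        parent = procs.get(cur.ppid)
        if parent is None:
            break
        chain.append(basename(parent.image))
        seen.add(parent.pid)
        cur = parent
    return chain


def find_escalations(procs: Dict[int, Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, nearest Carbon Copy ancestor) for each suspicious process.

    A hit is an interactive tool running as SYSTEM whose ancestry includes one
    of the Carbon Copy images; the nearest such ancestor is reported.
    """
    hits: List[Tuple[int, str, str]] = []
    for proc in sorted(procs.values(), key=lambda p: p.pid):
        if proc.user.upper() != SYSTEM_USER.upper():
            continue
        if basename(proc.image) not in INTERACTIVE_IMAGES:
            continue
        for ancestor in ancestry(procs, proc.pid):
            if ancestor in CARBON_COPY_IMAGES:
                hits.append((proc.pid, basename(proc.image), ancestor))
                break
    return hits


if __name__ == "__main__":
    for pid, image, via in find_escalations(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={pid} {image} running as SYSTEM under {via}")
```

On the sample data the rule reports notepad.exe (pid 1500) and cmd.exe (pid 1800), both reached through CCW32.exe, while the user's own cmd.exe and the SYSTEM notepad.exe under services.exe (pid 2200) are left alone. That last case shows the rule is deliberately scoped to the chain the post describes; whether any interactive tool running as SYSTEM on an interactive desktop should alert regardless of parent is a tuning decision for the environment.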
